Blog

Monthly Breach Report: March 2021 Edition

February, as brief as it was, turned out to be a historical month from a data breach point of view. Here are some of the top breaches reported last month.

COMB-ing Through A Mess

It’s rare that a breach is successfully committed on such a massive scale that even the most inured security experts take notice. When a cyber-crime shocks experts, they delve in to analyze and understand how it was orchestrated and completed—and how its wake may affect the world.

On February 2, 2021, the Compilation of Many Breaches (COMB) pulled in more than 3.2 billion unique pairs of readable emails and passwords. The pure size of the breach stands it in a class of its own, historically. The vastness of its reach is stunning considering Earth’s population at last count was less than 8 billion people.

Not all people use the internet or have email accounts; the estimated number of internet users is around 4.7 billion. Thus, COMB would potentially include some personal data of up to 70% of the world’s internet users.

COMB contains over twice the most recent major breach in 2017 when 1.4 billion sets of personal account information were stolen. At least three scripts are common to both breaches, one for count totals, one of querying emails, and one for sorting the data.

The early analysis indicates, as its name also reveals, that COMB is not a new, distinct breach, but is thought to be a sort of gathering vortex of multiple breaches. Some of the most popular services are the sources for the account pairings that have been breached and stolen. Gmail, Yahoo email, Netflix, LinkedIn, Bitcoin, and several more were sources for the total Compilation of Many Breaches. What’s more, there is some evidence that older Hotmail and Yahoo accounts were cleaned out before being added into the vortex.

Of course, the full impact is not yet known, but experts anticipate there will be colossal outcomes and that some impact is already being felt. One significant area of negative outcomes—likely the most harmful—is that credential stuffing attacks will be commonplace. Stealing personal information this way happens when users use the same username and password for multiple sensitive accounts. The other undesired experience is that users whose credentials are contained in COMB will be vulnerable to extensive spear-phishing attacks and receive inordinate spam in texts and emails. Ultimately, stolen identities lead to ruined credit scores, falsified loan obligations, and potentially damaged reputations.

For companies, the critical step is to discover, locate, and protect all sensitive and personal information of employees, customers, and all individuals associated with the companies. Individuals need to investigate for themselves whether or not any of their accounts were pulled into the largest breach of all time. This service will email you back with its findings: Hack Check

Sources:

Thousands of Californian Motorists Check In

In the US, California residents who’ve registered their cars in the state within the past 20 months were dismayed to learn their personal information could be in the datasets leaked in the early February 2021 breach. The DMV estimates up to 38 million records may have been impacted and the personal data in them stolen. It was not clear to the DMV whether the information had yet been misused.

A contracted third-party company, Automatic Funds Transfer Services, Inc. (AFTS), was attacked by cybercriminals and personal data was leaked. The California DMV stopped their services with AFTS immediately on hearing of the breach on February 17, 2021, and engaged a different company to provide seamless registration verification service operations for Californians.

DMV Director Steve Gordon said, “We are looking at additional measures to implement to bolster security to protect information held by the DMV and companies that we contract with.” (KRON4)

Expected personally identifiable information leaked includes individuals’ names, addresses, license plate numbers, and vehicle identification numbers (VINs) dating back to at least August 2019. The FBI is involved in the incident investigation. Californians concerned whether they are affected can reach the DMV and are urged to report suspected activity to law enforcement.

Sources:

Less Than Sure with DriveSure

Auto dealerships use DriveSure to offer car owners preventative maintenance services, train their employees, offer drivers roadside assistance, emergency car rentals, and other offerings to increase people’s perceived value of remaining a dealership customer. They use personalized email, mobile apps, and text messages to communicate and remind customers to engage.

Hackers published information on 3.2 million car customers pulled from DriveSure on a site called Raidforum. The post included complete back-end folders and files. The extensive range of personal data included “names, home and email addresses, phone numbers, car and damage details, text and email messages with dealerships, and over 93,000 bcrypt hashed passwords.”  (Infosecurity Magazine)

There were also tens of databases in folders, some holding more than 20 GB of data, including dealership inventory, revenue, claims, internal reports, and customer data. There were over 15,000 government and military email addresses as well as over 5,000 S&P 100 enterprise email addresses.

These types of data are valuable to threat criminals who use them to access and steal more information from bank accounts, insurance, and other accounts, and company internal systems. Extortion and spear-phishing are other malevolent uses for these types of stolen personal data.

The threat actor “pompompurin” already leaked seven other corporate databases in 2021. The free sharing of information leads investigators to expect the criminal is trying to build a valuable reputation for infiltrations in selling information they would be hired for in the future.

Sources:

Clean Up in Aisle Five

Cinncinati-based grocery chain Kroger Company self-identified as a victim of a data breach due to a third-party file-transfer service.

“The Cincinnati-based grocery and pharmacy chain said in a statement Friday, Feb. 19, 2021, that it believes less than 1% of its customers were affected, specifically some using its Health and Money Services, as well as some current and former employees because a number of personnel records were apparently viewed.“ (Associated Press)

Accellion is the development company of the hacked file-transfer product, File Transfer Appliance (FTA). Kroger had been using it to share email attachments and in instances when large data transfers were needed. Accellion had informed Kroger that an unauthorized user had gained access through a weakness in their service. Other Accellion FTA customers have experienced hacks in similar ways.

The newer product, Kiteworks, is recommended by Accellion given its four-year clean record in Accellion markets. Companies are far better served when they monitor their third-parties’ data protection activities. Better yet, companies that protect all personal data they keep—especially any sensitive data used externally or shared—don’t lose personally identifiable information data to hackers.

Given that HR, money service, and pharmacy records with sensitive personal data were compromised in the Kroger breach, the company is reaching out to affected customers and providing free credit monitoring.

Sources:

Cautious Company Experiences Data Breach

A Filipino digital credit company, Cashalo, experienced a massive data breach in February. Hackers gained access to an internal database archive containing customer usernames, email addresses, phone numbers, passwords, and device IDs. The country’s National Privacy Commission (NPC) began a probe discovering nearly 3.3 million data records were already sold on the dark web. In addition, sample data was displayed for potential criminal buyers. Stolen raw data was for sale on forums by February 14.

What Cashalo had done by way of precaution was positive, but not sufficient. Encryption was implemented to avoid customer accounts and passwords from being compromised. Had a complete scan been run on all personally identifiable information across the enterprise, subsequent discovery and protection would render the data that was stolen useless.

“We hope to bring clarity to the incident soon and better protect those whose data privacy rights may have been compromised by this incident,” NPC stated.

Sources:

Prestigious Law Firm Falls Prey to Sophisticated Cyber Crime

One of the most elevated international law firms realized their server had been infiltrated. The responsible criminals attempted but failed to extort the firm for data recovery. Then the hackers uploaded gigabytes of highly sensitive personal data to their dedicated leak site. The attack is claimed by a gang of CLOP ransomware hackers.

The stolen sensitive data is impacting a slew of the law firm’s high-profile clients. Client names are not being shared, however, the firm has represented over half the Fortune 500 in its tenure, and a year ago represented then-President Donald Trump in a filed lawsuit. It’s not believed that personal data from that lawsuit was impacted.

Archives posted to the site include sensitive infiltrated emails and sophisticated, multi-part caches of other files with important personal data in them. It is not possible to overly emphasize the vital nature of companies using the best possible technology to discover throughout all files and data stores every element of sensitive data, down to that element level. Companies need to scan not merely some devices or some repositories, but across the entire enterprise. Once all sensitive data is discovered, located, indexed, and appropriately protected, cyber thieves and embezzlers will hold no power over those protected companies.

Sources:

Don’t let your company’s data show up in the next data breach headline. Find out how PKWARE can help you find and protect all your sensitive data. Get your free demo now.